ERIS
ERIS is a ransomware that was discovered by Michael Gillespie.

Payload Transmission

ERIS can be distributed by spam campaigns, fake/unofficial software update tools, P2P (Peer-to-Peer) networks, untrustworthy third-party software download sources, trojans and illegal software activation ('cracking') tools. On July 7th, 2019, ERIS was being spread by the RIG exploit kit: a malvertising campaign using the popcash ad network redirected users to the RIG exploit kit.

Infection

When ERIS is installed, it encrypts the victim's files and appends the .ERIS extension. Each encrypted file ends with the file marker _FLAG_ENCRYPTED_, which indicates that it was encrypted by the ransomware. In each folder that was scanned, the ransomware also creates a ransom note named @ READ ME TO RECOVER FILES @.txt that instructs the victim to contact Limaooo@cock.li for payment instructions. Included in this ransom note is a unique ID that the victim must send to the ransomware developer so that they can perform a free test decryption of one file.

According to the ransom message, ERIS encrypts files with the Salsa20 algorithm, with the per-victim key protected by RSA-1024, and no recovery tool can restore them. It is stated that attempts to use any recovery software will cause permanent damage/data loss. The only way to restore encrypted files is apparently to purchase a decryption tool from the cyber criminals who designed ERIS ransomware. The cost of decryption is $825 in Bitcoin, and they do not accept any other currency. They will await confirmation that the test file was decrypted successfully and then provide further instructions about how to make payment. According to ERIS's developers, they will send the decryption tool/key after payment.

The ransom message reads:

*** *** *** READ THIS FILE CAREFULLY TO RECOVERY YOUR FILES *** *** ***
ALL OF YOUR FILES HAVE BEEN ENCRYPTED BY "ERIS RANSOMWARE"! USING STRONG ENCRYPTION ALGORITHM.
Every your files encrypted with unique strong key using "Salsa20" encryption algorithm: https://en.wikipedia.org/wiki/Salsa20
Which is protected by RSA-1024 encryption algorithm: https://en.wikipedia.org/wiki/RSA_(cryptosystem)
shadow copy, F8 or recuva and other recovery softwares cannot help you, but cause Irreparable damage to your files!
Technically no way to restore your files without our help.
we only accept cryptocurrency Bitcoin (BTC) as payment method! for cost of decryption service.
https://wikipedia.org/wiki/Cryptocurrency
https://wikipedia.org/wiki/Bitcoin
For speed and easily, please use localbitcoins website to purchase Bitcoin: https://localbitcoins.com
* WE OFFER YOU 1 FREE FILE DECRYPTION (1024 KB) WITHOUT ANY COST! TO TRUST OUR HONESTY BEFORE PAYMENT. THE SIMPLE FILE MUST NOT BE ARCHIVED!
-----BEGIN ERIS IDENTIFICATION-----
id
-----END ERIS IDENTIFICATION-----
(Decryption Instructions)
1. Send your "ERIS IDENTIFICATION" with one simple of your encrypted files (1024 KB) to our email address: Limaooo@cock.li
2. Wait for reply from us. (usually in some hour)
3. Confirm your simple files are decrypted correct and ask us how to pay to decrypt all your files.
4. We will send you payment instructions in Bitcoin.
5. You made payment and send us TXID of Bitcoin transfer.
6. After we confirm the payment, you will soon get decryption package and everything back to normal.
* IN CASE OF FOLLOWING OUR INSTRUCTION, FAST AND EASILY EVERYTHING IS BACK TO NORMAL LIKE THAT NEVER HAPPENED! BUT IF YOU USE OTHER METHODS (THAT NEVER EVER HELPS) YOU JUST DESTROY EVERYTHING FOR GOODNESS! BE A SMART AND SAVE YOUR FILES! NOT A FOOL!
=
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT MOVE ENCRYPTED FILES
* DO NOT USE RECOVERY SOFTWARES
=
=
(Frequently Asked Questions)
Q: I can not pay for it, what I do now?
A: Format your hard disk, re-install your softwares and start everything from begin!
Q: What a guarantee I can recovery my files after payment?
A: There is no any reason for us to do not give you decryption software and your special key. The only our goal is help you not hurt!
=

Category:Ransomware Category:Win32 ransomware Category:Microsoft Windows Category:Win32 Category:Trojan Category:Win32 trojan
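The infection artifacts described above (the .ERIS extension, the _FLAG_ENCRYPTED_ trailer and the ransom note with its BEGIN/END identification markers) are enough for a responder to triage a file share. The script below is an added example, not code from the wiki or from any decryptor; it walks a directory tree, flags files by extension or by trailer (so files a user has since renamed are still caught), and pulls the victim ID out of every ransom note it finds. The sample tree and the ID value EXAMPLE-ID-0001 are constructed for the demonstration; the real ID format is not documented on the page.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the page.
ERIS_EXTENSION = ".ERIS"
ERIS_TRAILER = b"_FLAG_ENCRYPTED_"
RANSOM_NOTE_NAME = "@ READ ME TO RECOVER FILES @.txt"

# The note wraps the victim ID in these two marker lines.
ID_PATTERN = re.compile(
    r"-----BEGIN ERIS IDENTIFICATION-----\s*(.*?)\s*-----END ERIS IDENTIFICATION-----",
    re.DOTALL,
)


def has_eris_trailer(path):
    """True if the file ends with the _FLAG_ENCRYPTED_ marker (read only the tail)."""
    try:
        size = os.path.getsize(path)
        if size < len(ERIS_TRAILER):
            return False
        with open(path, "rb") as fh:
            fh.seek(size - len(ERIS_TRAILER))
            return fh.read() == ERIS_TRAILER
    except OSError:
        return False


def extract_eris_id(note_text):
    """Return the ID between the identification markers, or None if absent."""
    match = ID_PATTERN.search(note_text)
    return match.group(1).strip() if match else None


def triage_tree(root):
    """Walk a tree and collect encrypted files, ransom notes and victim IDs."""
    findings = {"encrypted_files": [], "ransom_notes": [], "victim_ids": set()}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE_NAME:
            findings["ransom_notes"].append(str(path))
            victim_id = extract_eris_id(path.read_text(errors="replace"))
            if victim_id:
                findings["victim_ids"].add(victim_id)
        elif path.suffix == ERIS_EXTENSION or has_eris_trailer(path):
            # Extension match OR trailer match: a renamed file still has the trailer.
            findings["encrypted_files"].append(str(path))
    return findings


def build_sample_tree():
    """Constructed sample directory standing in for a hit file share."""
    root = Path(tempfile.mkdtemp(prefix="eris_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    # Encrypted file with extension and trailer (constructed contents).
    (docs / "report.docx.ERIS").write_bytes(b"\x00" * 64 + ERIS_TRAILER)
    # A file someone renamed after infection: no .ERIS suffix, trailer intact.
    (docs / "renamed.bin").write_bytes(b"\x01" * 32 + ERIS_TRAILER)
    # Untouched file, should not be flagged.
    (docs / "notes.txt").write_bytes(b"hello world")
    # Ransom note with a constructed placeholder ID.
    note = (
        "ALL OF YOUR FILES HAVE BEEN ENCRYPTED BY \"ERIS RANSOMWARE\"!\n"
        "-----BEGIN ERIS IDENTIFICATION-----\n"
        "EXAMPLE-ID-0001\n"
        "-----END ERIS IDENTIFICATION-----\n"
    )
    (docs / RANSOM_NOTE_NAME).write_text(note)
    return root


if __name__ == "__main__":
    findings = triage_tree(build_sample_tree())
    print(f"encrypted files : {len(findings['encrypted_files'])}")
    print(f"ransom notes    : {len(findings['ransom_notes'])}")
    print(f"victim IDs      : {sorted(findings['victim_ids'])}")
```

Checking the trailer rather than only the extension matters in practice: the note itself tells victims not to rename or move files, but users often do before calling for help, and the extension alone would then undercount the damage. Reading just the last 16 bytes keeps the scan cheap on large shares.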